Method And Device For Monitoring A Memory Unit In A Mutliprocessor System

ABSTRACT

A method and device for monitoring a memory unit in a system including at least two processing units, a switchover arrangement being included that allows switching between at least two operating modes of the system, the device being arranged to log the memory content and/or the operating mode in which the memory content was generated.

FIELD OF THE INVENTION

The present invention relates to a method and device for monitoring amemory unit in a multiprocessor system.

BACKGROUND INFORMATION

In technical applications, such as, in particular, in motor vehicles orin the industrial goods sector, that is, for example, in the machineryand automation sectors, an increasing number of microprocessor orcomputer-based, closed-loop and open-loop control systems are being usedfor safety-critical applications. Today, dual-processor systems (dualcores) are computer systems commonly used for safety-criticalapplications, especially in motor vehicles, for example for antilocksystems, the electronic stability program (ESP), X-by-wire systems, suchas drive-by-wire or break-by-wire, etc., or for other networked systems.In order to meet these high safety requirements in future applications,powerful fault mechanisms and fault handling mechanisms are required,especially to cope with transient faults, which may occur, for example,when reducing the size of the semiconductor structures of the computersystems. In this context, it is relatively difficult to protect the coreitself, i.e., the processor. As mentioned above, one solution for thisis to use a dual-processor system, or dual-core system, for faultdetection.

Such processor units having at least two integrated execution units aretherefore known as dual-core or multi-core architectures. In the currentprior art, such dual-core or multi-core architectures are proposedmainly for two reasons:

First of all, they allow performance to be enhanced, i.e., increased, byregarding and treating the two execution units or cores as twoprocessing units on one semiconductor device. In this configuration, thetwo execution units or cores execute different programs or tasks,respectively. This makes it possible to increase performance, andtherefore this configuration is termed performance mode.

The second reason for implementing a dual-core or multi-corearchitecture is to increase safety by the two execution unitsredundantly executing the same program. The results of the twoexecutions units or CPUs, i.e., cores, are compared, and a fault can bedetected in the conformity-check comparison. In the following, thisconfiguration will be referred to as “safety mode” or also as “faultdetection mode”.

Thus today, on the one hand; there are dual-processor or multiprocessorsystems which work redundantly in order to detect hardware faults (seedual-core or master-checker systems) and, on the other hand, there aredual-processor or multiprocessor systems which process different data intheir processors. If these two operating modes are now combined in adual-processor or multiprocessor system, the two processors must receivedifferent data when in the performance mode and identical data when inthe fault detection mode (for the sake of simplicity, only the term“dual-processor system” will be used hereinafter, but the followinginvention is also applicable to multiprocessor systems).

The clock frequency of today's processors is typically significantlyhigher than the frequency with which a memory, especially an externalmemory, can be accessed. Cache memories are used to compensate for thistime lag. The interaction of such a fast buffer memory with acorresponding main memory then allows access times to be significantlyreduced.

In particular, when implementing dual-processor (dual-core) systems, onecache is provided for each processor. In the system, caches are used asfast intermediate memories to eliminate the need for the processor toalways have to retrieve the data from the slow main memory. To make thispossible, the access time of a cache must be paid particular attentionto during the implementation thereof. The access time is made up of theactual access time for retrieving the data from the cache and the timefor transferring the data to the processor.

In a multiprocessor system, in particular in a dual-processor systemhaving 2 processors, a plurality of processors executes the same ordifferent tasks. If they execute different tasks, usually, a cache iscoupled between the processor and the main memory for each processor,respectively. The cache is needed to decouple the different operatingspeeds of the main memory and the processor. When the dual-processorsystem operates in the mode in which the two processors executedifferent tasks, then the caches of the processors are loaded withdifferent data. When switching over to safety mode, in which theprocessors execute the same tasks and the output data are compared, thecache content must be deleted or marked invalid prior to switching over.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a method and device,and an implementation, for avoiding this performance-reducing drawbackso as to eliminate the need to completely delete the cache or invalidateit each time a switchover is made from performance mode to safety mode.

Such an implementation has not been previously described. Theimplementation enables efficient operation of dual-processor system, sothat switching can be done in both the safety and performance modesduring operation without reducing performance. The term “processors”, asused hereinafter, is understood to also include cores or processingunits.

To achieve this object, the present invention discloses a method anddevice for monitoring a memory unit in a system including at least twoprocessing units, a switchover arrangement being included that allowsswitching between at least two operating modes of the system, the devicebeing arranged to log the memory content and/or the operating mode inwhich the memory content was generated. The present invention alsodiscloses a corresponding system and a corresponding memory unit, inparticular, a cache memory.

Logging of what was written into the cache at what time eliminates theneed to mark the complete data as invalid when a mode switch is made.Therefore, the cache does not need to be reloaded so often, and theperformance of the overall system increases accordingly.

Furthermore, a unit for distributing data from at least one data sourceis provided in a system including at least two processing units, aswitchover arrangement (ModeSwitch) being included that allow switchingbetween at least two operating modes of the system, the unit beingdesigned such that the data distribution and/or the data source (inparticular, instr. memory, data memory, cache) is/are dependent on theoperating mode. Also disclosed is a system including such a unit.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a dual-processor system including a first processor 100, inparticular a master processor, and a second processor 101, in particulara slave processor.

FIG. 2 shows another view of the dual processor or dual core system.

FIG. 3 is a schematic view showing a switchable dual-processor systemwith the caches.

FIG. 4 shows an exemplary cache memory.

DETAILED DESCRIPTION

In the context of the exemplary embodiments and/or exemplary methods ofthe present invention, the first operating mode corresponds to a safetymode, in which the two processing units execute or process the sameprograms and/or data and in which a comparison arrangement is providedby which the states occurring during the execution of the same programsare checked for conformity.

The unit and method according to the present invention allows the twomodes to be implemented in a dual-processor system without reducing thecache utilization performance.

When the two processors operate in the fault detection mode (F mode),then the two processors receive the same data/instructions, and whenoperating in the performance mode (P mode), each processor can accessthe memory. Then, this unit manages the accesses to the only oneexisting memory or peripheral equipment.

In the F mode, the unit reads the data/addresses of one processor(herein referred to as “master”) and forwards the same to componentssuch as the memory, bus, etc. The second processor (hereinafter “slave”)wishes to make the same access. The data distribution unit receives thisrequest at a second port, but does not forward it to the othercomponents. The data distribution unit transfers to the slave the samedata as those transferred to the master and compares the data of the twoprocessors. If these data are different, then the data distribution unit(hereinafter “DDU”) will indicate this by an error signal. Thus, onlythe master operates on the bus/memory, and the slave receives the samedata (the operation is similar to that of a dual-core system).

In the P mode, the two processors execute different program parts. Thememory accesses are therefore also different. Thus, the DDU receives therequests of the processors and returns the results/requested data to therequesting processor. If now both processors wish to access a componentsimultaneously, then one processor is put to a waiting state until theother is served.

Switching between the two modes, and thus between the different methodsof operation of the data distribution unit, is accomplished by a controlsignal. The control signal can be generated either by one of the twoprocessors, or externally.

Thus, in accordance with the present invention, a distinction is madebetween a performance mode and a safety mode, as far as operating modesare concerned, and the logging includes recording which memory contentwas generated in the performance mode. Also or instead, the loggingadvantageously includes recording which memory content was generated inthe safety mode. For logging purposes, it is possible to create a table,and to evaluate the table as a function of a mode signal indicative ofthe operating mode of at least one processing unit.

With respect to the memory content, data are advantageouslydistinguished from other memory contents, in particular instructions,and the table additionally logs whether the data were changed in thememory unit in the performance mode and/or in the safety mode.

It is a particular advantage that the logging additionally includesrecording whether the respective memory content is valid. This allowsall memory contents, especially all data, to be invalidated whenstarting the processing units.

Advantageously, one memory unit is provided for each processing unit,and the logging is performed for each memory unit, and, in addition, acomparison of the log is made for each memory unit. In particular, onlyone table is created for the two processing units during logging, or onetable is created for each processing unit during logging, in which casethe table entries are interchangeable between the tables.

It is advantageous that the table entries are checked for conformity. Itis also advantageous that the validity information is evaluated in thesafety mode.

If, in the F mode, the dual-processor system is operated with a clockoffset and, when in the P mode, it is not, then the DDU unit delays thedata for the slave accordingly, or stores the output data of the masteruntil they can be compared to the output data of the slave for faultdetection purposes.

The clock offset will be explained in more detail with reference to FIG.1.

FIG. 1 shows a dual-processor system including a first processor 100, inparticular a master processor, and a second processor 101, in particulara slave processor. The entire system is operated with a predeterminableclock pulse, i.e., in predeterminable clock cycles (CLK). The clockpulse is supplied to the system via clock input CLK1 of processor 100and via clock input CLK2 of processor 101. Moreover, this dual-processorsystem includes, by way of example, a special feature for faultdetection, namely that first processor 100 and second processor 101operate with a time offset, in particular a predeterminable time offsetor a predeterminable clock offset. In this context, any time may bespecified for a time offset and any clock pulse may be specified withrespect to an offset of the clock cycles. This may be an integral clockcycle offset, but also, for example, an offset of 1.5 clock cycles, asillustrated in this example, in which first processor 100 operates or isoperated 1.5 clock cycles ahead of second processor 101. This offsetprevents so-called common mode failures from affecting the processors,i.e., the cores or the dual-core system, in the same manner, as a resultof which the common mode failures would remain undetected. That is, dueto the offset, such common mode failures affect the processors atdifferent points in the program execution and, therefore, have differenteffects on the two processors, as a result of which faults becomedetectable. Without a clock offset, identical fault effects wouldpossibly not be detectable in a comparison. This is prevented in thismanner. In order to implement this offset with respect to time or clockpulse, here in particular 1.5 clock cycles, in the dual-processorsystem, there are implemented offset blocks 112 through 115.

In order to detect the common mode failures, this system is designed,for example, to operate with a predetermined time offset or clock cycleoffset, here in particular 1.5 clock cycles; i.e., while one processor,for example processor 100, accesses the components, in particularexternal components 103 and 104, directly, second processor 101 operateswith a delay of exactly 1.5 clock cycles with respect thereto. In thiscase, in order to generate the desired one-and-a-half cycle delay, i.e.,the delay of 1.5 clock cycles, processor 101 is supplied with theinverted clock, i.e., the inverted clock pulse at clock input CLK2.Because of this, however, the aforementioned ports of the processor,i.e., its data and instructions through the buses, must also be delayedby the above-mentioned clock cycles, i.e., here in particular 1.5 clockcycles, for which purpose offset or delay blocks 112 through 115 areprovided, as mentioned earlier. In addition to the two processors 100and 101, there are provided components 103 and 104, which are incommunication with the two processors 100 and 101 via buses 116,including bus lines 116A and 116B and 116C, as well as 117, includingbus lines 117A and 117B. 117 is an instruction bus, where an instructionaddress bus is denoted by 117A and the sub-instruction (data) bus isdenoted by 117B. Address bus 117A is connected via an instructionaddress port IA1 (Instruction Address 1) to processor 100 and via aninstruction address port IA2 (Instruction Address 2) to processor 101.The instructions themselves are transmitted via sub-instruction bus117B, which is connected via an instruction port I1 (Instruction 1) toprocessor 100 and via an instruction port I2 (Instruction 2) toprocessor 101. This instruction bus 117, which is formed by 117A ad117B, has interconnected therein a component 103, for example, aninstruction memory, in particular a safe instruction memory, or thelike. In this example, this component, especially as an instructionmemory, is also operated with clock pulse CLK. Furthermore, 116represents a data bus, which includes a data address bus or data addressline 116A and a data bus or data line 116B. 116A, i.e., the data addressline, is connected via a data address port DA1 (Data Address 1) toprocessor 100 and via a data address port DA2 (Data Address 2) toprocessor 101. Similarly, the data bus or data line 116B is connectedvia a data port DO1 (Data Out 1) and a data port DO2 (Data Out 2) toprocessor 100 and processor 101, respectively. Data bus line 116C isalso part of data bus 116, and is connected via a data port DI1 (Data In1) and a data port DI2 (Data In 2) to processor 100 and processor 101,respectively. This data bus 116, which is formed by lines 116A, 116B and116C, has interconnected therein a component 104, for example, a datamemory, in particular a safe data memory, or the like. In this example,this component 104 is also supplied with clock pulse CLK.

In this context, components 103 and 104 represent any components whichare connected via a data bus and/or instruction bus to the processors ofthe dual-processor system, and which may receive or output erroneousdata with respect to write operations and/or read operations accordingto the accesses via data and/or instructions of the dual-processorsystem. It is true that, in order to prevent errors, error detectiongenerators 105, 106 and 107 are provided, which generate an error code,such as a parity bit or other suitable error code, such as, for example,an error correction code, i.e., ECC, or the like. To this end, then,there are also provided corresponding error detection checkers orchecking devices 108 and 109, which are used to check the respectiveerror code, i.e., for example, the parity bit or other error code, suchas ECC.

The comparison of the data and/or instructions with respect to theredundant embodiment in the dual-processor system is performed incomparators 110 and 111, as shown in FIG. 1. However, if there existsnow a time offset, in particular a clock pulse or clock cycle offset,between processors 100 and 101, either caused by an asynchronousdual-processor system or, in a synchronous dual-processor system, byerrors in the synchronization process or, as in this particular example,by a time or clock cycle offset, here in particular 1.5 clock cycles,that is desired for fault detection purposes, then one processor, hereespecially processor 100, may write or read erroneous data and/orinstructions in components, especially external components, such ashere, for example, memories 103 or 104, in particular, or also withrespect to other stations or actuators or sensors, during this time orclock offset. Due to this clock offset, the processor may alsoerroneously perform, for example, a write access instead of an intendedread access. Of course, these scenarios lead to errors in the entiresystem, in particular without any possibility to clearly indicate whichdata and/or instructions have just been erroneously changed, which alsoleads to the problem of recovery.

In order to solve this problem, a delay unit 102 is interconnected inthe lines of the data bus and/or in the instruction bus, as shown. Forthe sake of clarity, only the interconnection in the data bus isillustrated. Of course, this is equally possible and conceivable withrespect to the instruction bus. This delay unit 102 delays the accesses,here especially the memory accesses, in such a way that a possible timeor clock offset is compensated for, especially when performing faultdetection, for example, using comparators 110 and 111, the accessesbeing delayed, for example, until the error signal is generated in thedual-processor system, i.e., until the fault detection is performed inthe dual-processor system. To this end, different variants can beimplemented: delaying the write and read operations, delaying only thewrite operations, and also, although not preferred, delaying the readoperations. In this context, using a change signal, in particular theerror signal, a delayed write operation can be converted to a readoperation in order to prevent erroneous writing.

An exemplary implementation with respect to the data distribution unit(DDU), which may be formed by a device for detecting the switchoverrequest (through IIIOPDetect), the Mode Switch unit and the Iram andDram control blocks, described below with reference to FIG. 2.

IIIOpDetect: The switchover between the two modes is detected by the“‘Switch Detect”’ units. This unit is located between the cache and theprocessor on the instruction bus and observes whether the IllOpinstruction is loaded into the processor. If this instruction isdetected, then this result is communicated to the Mode Switch unit. The“‘Switch Detect’ ” unit is provided for each processor separately. The“‘Switch Detect’ ” unit does not need to be fault-tolerant, because twosuch units are provided, which makes them redundant. On the other hand,it is possible to design this unit to be fault-tolerant and, therefore,as a single unit, but preference may be given to the redundant design.

ModeSwitch: Switching between the two modes is triggered by the “‘SwitchDetect’ ” unit. If a switchover is to be made from the lock mode to thesplit mode, both “‘Switch Detect’ ” units detect the switchover because,both processors execute the same program code in the lock mode. The“‘Switch Detect’ ” unit of processor 1 detects this 1.5 clock pulsesbefore the “‘Switch Detect’ ” unit of processor 2. The “‘Mode Switch’ ”unit halts processor 1 for 2 clock pulses with the aid of the waitsignal. 1.5 clock pulses later, processor 2 is also halted, but only fora half clock pulse, in order to be synchronized with the system clock.After that, the status signal is switched to split for the othercomponents, and the two processors continue to operate. In order for thetwo processors to execute different tasks, they must diverge in terms ofthe program code. This is accomplished by performing a read access tothe processor ID immediately after switching to the split mode. Thisread-out processor ID is different for each of the two processors. If acomparison is now made with a reference processor ID, the respectiveprocessor can then be taken to a different program location using aconditional jump instruction.

A switchover from the split mode to the lock mode will be detected byone processor, that is, by one of two processors first. This processorwill execute program code that contains the switching instruction. Thisis now detected by the “‘Switch Detect’ ” unit and communicated by it tothe Mode Switch unit. The Mode Switch unit halts the respectiveprocessor and communicates the request for synchronization to the secondprocessor using an interrupt. The second processor receives an interruptand can now execute a software routine to complete its task. Then, italso jumps to the program location containing the switching instruction.Then, its “‘Switch Detect’ ” unit also signals the mode switch requestto the Mode Switch unit. At the next rising edge of the system clock,the wait signal is deactivated for processor 1, and 1.5 clock pulseslater for processor 2. Then, both processors operate synchronously againwith a clock offset of 1.5 clock pulses.

When the system is in lock mode, both “‘Switch Detect’ ” units mustinform the Mode Switch unit that they wish to change to the split mode.If only one unit issues a switchover request, then the comparison unitswill detect the fault, because one of the two processors continues tosupply data to the comparison units, and the data do not match those ofthe halted processors.

When the two processors are in split mode and one processor does notswitch back to lock mode, then this can be detected by an externalwatchdog. If there is a trigger signal for each processor, the watchdognotices that the waiting processor is no longer sending any signals. Ifthere is only one watchdog signal for the processor system, then thetriggering of the watchdog may only take place in the lock mode.Consequently, the watchdog would detect that that the mode switch hasnot occurred. The mode signal is present as a dual-rail signal. In thiscontext, “‘10’” stands for the lock mode and “‘01’” stands for the splitmode. In the case of “‘00’” and “‘11’”, faults have occurred.

IramControl: Access to the instruction memory of the two processors iscontrolled by the IRAM Control, which must be safe, because it is asingle point of failure. The IRAM Control includes two finite automatonsfor each processor: in each case in the form of a clocked iram1clkresetand an asynchronous readiram1, respectively. In the safety-criticalmode, the finite automatons of the two processors monitor each other,and in the performance mode, they operate separately.

The reloading of the two caches of the processors is controlled by 2finite automatons. A synchronous finite automaton iramclkreset and anasynchronous readiram. These two finite automatons also distribute thememory accesses in the split mode. In this process, processor 1 has thehigher priority. After an access to the main memory by processor 1,processor 2 is given memory access authorization, if both processorswish to access the main memory again. These two finite automatons areimplemented for each processor. In the lock mode, the output signals ofthe automatons are compared to be able to detect any errors that mayoccur.

The data for updating cache 2 in the lock mode are delayed by 1.5 clockpulses in the IRAM control unit.

Bit 5 in register 0 of the SysControl encodes which core is concerned.For core 1, the bit is 0 and for core 2, it is high. This register ismirrored into the memory area having the address 65528.

In case of a memory access by core 2, it is first checked which mode theprocessor is in. If it is in the lock mode, its memory access issuppressed. This signal is present as a common-rail signal, because itis safety-critical.

The program counter of processor 1 is delayed by 1.5 clock pulses to beable to be compared to the program counter of processor 2 in the lockmode.

In the split mode, the caches of the two processors can be reloadeddifferently. If a switchover is now made to lock mode, the two cachesare not coherent with each other. Because of this, the two processorsmay diverge and, therefore, the comparators signal a fault. In order toavoid this, a flag table is set up in the IRAM Control. This tablerecords whether a cache line was written in lock mode or in split mode.In the lock mode, the corresponding entry for the cache line is set to0, and in the split mode, it is set to 1, even if the cache line of onlyone cache is updated. If the processor now performs a memory access inlock mode, then a check is made as to whether this cache line wasupdated in the lock mode, that is, whether it is identical in bothcaches. In the split mode, the process can always access the cache line,regardless of the state of the Flag_Vector. Only one such table needs toexist, because a fault causes the two processors to diverge and,therefore, this fault is reliably detected in the comparators. Since theaccess times to the central table are relatively high, this table mayalso be copied to each cache.

DramControl: In this component, the parity is generated for the address,data, and memory control signals from each processor.

For both processors, there is one process to lock the memory. Thisprocess does not need to be of safe design, because in the lock mode,erroneous memory accesses are detected by the comparators, and in thesplit mode, no safety-critical applications are executed. The processchecks whether the processor wishes to lock the memory for the otherprocessor. Such locking of the data memory is accomplished by accessingthe memory address $FBFF$=64511. This signal should be applied forexactly one clock pulse, even if a wait command is applied to theprocessor at the time the access is made. The finite automaton formanaging data memory accesses is formed by two main states:

processor state LOCK: The two processors operate in the lock mode. Thatis, the data memory locking functionality is not needed. Processor 1coordinates the memory accesses.

processor state SPLIT: now, access conflict resolution is needed on thedata memory, and memory locking must be possible.

The state in the split mode is, in turn, divided into 7 states, whichallow access conflicts to be resolved and the data memory to be lockedfor the respective other processor.

In the case of a simultaneous request of the two processors during anaccess, the specified order at the same time represents the priorityassignment.

Core1\_Lock: Processor 1 has locked the data memory. If, in this state,the processor 2 wishes to access the memory, then it is halted by a waitsignal until processor 1 releases the data memory. \

Core2\_Lock: This is same state as the previous one, except that nowprocessor 2 has locked the data memory and processor 1 is halted in thecase of data memory operations.

lock1\_wait: The data memory was locked by processor 2 when processor 1also wished to reserve it for itself. Therefore, processor 1 isearmarked for the next memory locking operation.

nex: The same for processor 2. The data memory was locked when processor1 attempted to lock it. The memory is pre-reserved for processor 2. Inthe case of normal memory access without locking, processor 2 canperform an access before processor 1 here, if, before that, it had beenthe turn of processor 1.

Memory access of processor 1: In this case, the memory is not locked.Processor 1 may access the data memory. If it wishes to lock the datamemory, it can do so in this state.

Memory access by processor 2. In the same clock pulse, processor 1 didnot wish to access the memory and, consequently, the memory is free forprocessor 2.

no processor wishes to access the data memory.

As mentioned earlier, the DDU is formed by the device for detecting theswitchover request (IIIOPDetect), the ModeSwitch unit and theIramControl and DramControl.

FIG. 3 is a schematic view showing a switchable dual-processor systemwith the caches. One cache memory is shown by way of example in FIG. 4.A distinction must be made between data cache and instruction cache. Ina non-switchable dual-processor system, no coherence problem occurs withrespect to an instruction cache. Therefore, no snooping has been used sofar. Here, the approach is now to perform snooping of the instructionsthat are loaded into the respective caches of the processors.

A table is set up:

set 0 tag 0 valid set 1 tag 1 not valid set 2 tag 2 valid . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . set 63 tag 63valid

Representation of the Cache Snooping Table.

In this table, one entry is provided for each cache line. Only one suchtable is needed for the switchable multiprocessor system. If the dataare written in lock mode, the corresponding line is marked valid in thistable. If a cache line is written in split mode, then the correspondingentry for this line is marked invalid.

In the split mode, each time a cache access is made, it is only checkedwhether it contains valid values. In the lock mode, however, this newtable is also queried. If the data are marked invalid in this table,there may indeed be valid data in the caches, but these data are notidentical in the caches. In the lock mode, the comparator of thedual-processor system would therefore indicate a fault, because the twoprocessors would diverge.

If this table is also used for the data memory, it must additionally bechecked whether, if the data were loaded in the lock mode, this cacheline was not only replaced in the split mode, but whether the data werealso updated by a processor in one of the caches.

Instruction Cache:

New Cache Valid Higher-Order Action Field Table Action system starts alldata all data up invalid invalid cache line is cache line cache lineloaded in lock valid valid mode cache line is cache line cache line Whenaccessing loaded in valid invalid the cache line in split mode lockmode, this cache line must be reloaded in all caches of the processorseven if it is already marked valid in one cache.

If a cache line is replaced with another one in the split mode in oneprocessor, then only the valid field must be replaced as invalid in thetable. There is no need to pay attention to the tag field.

A second variant of the table may be as follows:

Cache 1 Cache 2 Comparison set 0 tag 0 tag 0 identical set 1 tag 1 tag 1not identical set 2 tag 2 tag 2 identical . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set 63tag 63 tag 63 identical

Cache Snooping Table According to Variant 2

The second variant of the table is that it includes only the set and tagfields, but for each member separately. This indeed makes the tablelarger, but the advantage is that, in the split mode, the systemcentrally documents for both caches what their contents look like. Then,in the lock mode, comparison of the tables makes it possible todetermine whether these data are identical in both caches. Thus, unlikethe first method, cache lines can be updated at different points intime, without being marked as invalid for the lock mode.

As explained above, the core of the present invention is the logging ofthe data in the cache. In addition to that, the object mentioned at theoutset is also achieved by the specific implementation described.

1-30. (canceled)
 31. A method for monitoring a memory unit in a systemincluding at least two processing units, the method comprising:switching between at least two operating modes of the system using aswitchover arrangement; and logging at least one of a memory content andan operating mode in which the memory content was generated.
 32. Themethod of claim 31, wherein with respect to the operating modes, adistinction is made between a performance mode and a safety mode, andthe logging includes recording which memory content was generated in theperformance mode.
 33. The method of claim 31, wherein with respect tothe operating modes, a distinction is made between a performance modeand a safety mode, and the logging includes recording which memorycontent was generated in the safety mode.
 34. The method of claim 31,wherein for logging purposes, a table is created, and the table isevaluated as a function of a mode signal indicative of the operatingmode of at least one of the processing units.
 35. The method of claim32, wherein with respect to the memory content, data are distinguishedfrom other memory contents or instructions, and the table additionallylogs whether the data were changed in the memory unit in the performancemode.
 36. The method of claim 33, wherein with respect to the memorycontent, data are distinguished from other memory contents orinstructions, and the table additionally logs whether the data werechanged in the memory unit in the safety mode.
 37. The method of claim31, wherein the logging additionally includes recording whether arespective memory content is valid.
 38. The method of claim 31, whereinall memory contents are invalidated when starting the processing units.39. The method of claim 31, wherein one memory unit is provided for eachprocessing unit, and the logging is performed for each memory unit, andwherein a comparison of the log is made for each of the memory units.40. The method of claim 39, wherein one table is created for the twoprocessing units during the logging.
 41. The method of claim 39, whereinone table is created for each of the processing units during thelogging, table entries being interchangeable between the tables.
 42. Themethod of claim 34, wherein table entries are checked for conformity.43. The method of claim 37, wherein validity information is evaluated inthe safety mode.
 44. A device for monitoring a memory unit in a systemincluding at least two processing units, comprising: a switchoverarrangement to allow switching between at least two operating modes ofthe system; and a logging arrangement to log at least one of a memorycontent and an operating mode in which the memory content was generated.45. The device of claim 44, wherein the memory unit includes a cachememory.
 46. The device of claim 44, wherein the memory unit includes atleast one validity field in which validity information of the memorycontent can be entered.
 47. The device of claim 44, wherein with respectto the operating modes, a distinction is made between a performance modeand a safety mode, and the logging includes recording which memorycontent was generated in the performance mode.
 48. The device of claim44, wherein with respect to the operating modes, a distinction is madebetween a performance mode and a safety mode, and the logging includesrecording which memory content was generated in the safety mode.
 49. Thedevice of claim 44, wherein a table is created for logging purposes, andthe table is evaluated as a function of a mode signal indicative of theoperating mode of at least one of the processing units.
 50. The deviceof claim 47, wherein with respect to the memory contents, data aredistinguished from other of the memory contents or instructions, and thetable logs whether the data were changed in the memory unit in theperformance mode.
 51. The device of claim 48, wherein with respect tothe memory contents, data are distinguished from other memory contentsor instructions, and the table logs whether the data were changed in thememory unit in the safety mode.
 52. The device of claim 44, wherein thelogging includes recording whether the respective memory content isvalid.
 53. The device of claim 44, wherein all of the memory contentsare invalidated when the processing units are started.
 54. The device ofclaim 44, wherein one memory unit is included for each of the processingunits, and the logging is performed for each of the memory units, acomparison of the log being made for each of the memory units.
 55. Thedevice of claim 54, wherein a table is included for the two processingunits during the logging.
 56. The device of claim 54, wherein a table iscreated for each of the processing units during the logging, the tableentries being interchangeable between the tables.
 57. The device ofclaim 49, wherein the table entries are checked for conformity.
 58. Thedevice of claim 46, wherein the validity information is evaluated in thesafety mode.
 59. A system comprising: a device for monitoring a memoryunit in a system including at least two processing units, including: aswitchover arrangement to allow switching between at least two operatingmodes of the system; and a logging arrangement to log at least one of amemory content and an operating mode in which the memory content wasgenerated.
 60. A memory unit comprising: a device for monitoring amemory unit in a system including at least two processing units,including: a switchover arrangement to allow switching between at leasttwo operating modes of the system; and a logging arrangement to log atleast one of a memory content and an operating mode in which the memorycontent was generated.